Omg help please, can't get a cert, hostname issues

I've got all my sites-enabled vhosts in separate confs for all my hosts, both 443 and 80, ssl-sites enabled in separate files too.

I'm trying to renew and when I run certbot --update I am greeted with the following nonsense (a single s where my hostname should be, so selecting it obviously results in an undesirable error and failure to properly obtain or generate a certificate; keep in mind I actually need new certs, and I have already purged certbot and reinstalled fresh).

Which names would you like to activate HTTPS for?

1: s

This is on apache2 with Debian 8 jessie

{
  "type": "urn:acme:error:malformed",
  "detail": "Error creating new authz :: DNS name does not have enough labels",
  "status": 400
}

I need to get that 's' outta there and get my domain name where it's supposed to be. I have no idea where this is stored, or how to clear it, or how to correct it.

Is this simply a matter of certbot trying to generate a cert based on the default vhost of /var/www/ in the apache.conf ?
I don't think that it should, considering all of my hosts are properly placed in the /etc/apache2/sites-enabled folder.

Any help moving forward to get this secured is greatly appreciated.

Hi,

Please fill in this form:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you

All of that information is right here,

http://www.squidblacklist.org

Debian 8 Jessie, Apache2

My hosting provider is not relevant to the issue at hand.

Ok…

What exact command do you execute before you encountered the issue?
certbot --update or certbot --renew

Thank you

P.S.

I can't even reach your site…

"Connection Refused"

Well, I tried a few things, but

certbot --update

is the one resulting in the above output.

Apache isn't starting because there are no ssl certificates...a problem which would be easily resolved, if I can get some certs...

Jun 19 14:57:49 squidblacklist.org systemd[1]: Failed to start LSB: Apache2 web server.
Jun 19 14:57:49 squidblacklist.org systemd[1]: Unit apache2.service entered failed state.
Jun 19 14:57:49 squidblacklist.org apache2[1296]: AH00526: Syntax error on line 29 of /etc/apache2/sites-enabled/default-ssl.conf:
Jun 19 14:57:49 squidblacklist.org apache2[1296]: SSLCertificateFile: file '/etc/letsencrypt/live/squidblacklist.org/fullchain.pem' does not exist or is empty

Or uncommented if you like

AH00016: Configuration Failed
[Tue Jun 19 15:00:15.383301 2018] [ssl:emerg] [pid 1514] AH02572: Failed to configure at least one certificate and key for s:443
[Tue Jun 19 15:00:15.383385 2018] [ssl:emerg] [pid 1514] SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[Tue Jun 19 15:00:15.383391 2018] [ssl:emerg] [pid 1514] AH02311: Fatal error initialising mod_ssl, exiting. See /var/log/apache2/error.log for more information

Ok.

A few things i would like to mention..

Your domain (www version) hasn't had a certificate for more than half a year now.
(The latest LE certificate I could see for this domain is from July 7, 2017:
crt.sh | www.squidblacklist.org)

Also, it seems that sudo certbot --update is using vHosts pulled directly from apache..

So you might want to take a look at your vHost config... (You might set the wrong server_name in that vHost)

In this case.. try this command:
sudo certbot --apache -d squidblacklist.org -d www.squidblacklist.org
(This will try to obtain a certificate & install it) (However, I'm afraid it would show as couldn't be installed due to no match in vHost)

P.S.
If the above command doesn't work, try sudo certbot certonly -d squidblacklist.org -d www.squidblacklist.org (This will obtain a certificate but not install it, so you would need to config the SSLcertificate path manually)

Thank you
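The reply above points at the vhost config as the source of the stray "s" that certbot --apache harvested. As an added example (not from this thread or from certbot), this POSIX sh script lists every ServerName/ServerAlias under a sites-enabled directory and flags one-label names that the ACME server would reject with "DNS name does not have enough labels"; the sample vhost files it builds are constructed to mirror the situation described here, and the directory argument is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: audit the ServerName/ServerAlias values that
# certbot --apache would harvest from Apache, and flag any one-label name (like the
# stray "s") that the ACME server rejects with "DNS name does not have enough labels".
# Assumes the vhost files live in the directory given as $1 (default /etc/apache2/sites-enabled).

# Emit "file:line:name" for every name declared by ServerName or ServerAlias.
list_vhost_names() {
  dir="${1:-/etc/apache2/sites-enabled}"
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    awk -v file="$f" '
      /^[[:space:]]*#/ { next }                       # skip comment lines
      tolower($1) == "servername" || tolower($1) == "serveralias" {
        for (i = 2; i <= NF; i++) {
          n = $i
          if (n ~ /^#/) break                         # trailing comment: stop
          sub(/^[A-Za-z]+:\/\//, "", n)               # drop a "https://" prefix
          sub(/:[0-9]+$/, "", n)                      # drop a ":443" port suffix
          print file ":" NR ":" n
        }
      }' "$f"
  done
}

# Print only the offending entries; exit status 1 when at least one is found.
find_bad_vhost_names() {
  list_vhost_names "$1" | awk -F: '$NF !~ /\./ { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Constructed sample config reproducing the thread: one sane vhost and one whose
# ServerName is just "s", which is what certbot offered as "1: s".
make_sample_config() {
  d=$(mktemp -d)
  cat > "$d/squidblacklist.conf" <<'EOF'
<VirtualHost *:80>
    ServerName squidblacklist.org
    ServerAlias www.squidblacklist.org blog.squidblacklist.org
</VirtualHost>
EOF
  cat > "$d/default-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName s:443
</VirtualHost>
EOF
  echo "$d"
}

# On a real box: find_bad_vhost_names /etc/apache2/sites-enabled
```

Run the audit before invoking certbot --apache; any line it prints is a vhost to fix first.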

Ok, I found the entry causing the "s:" and I owe you an apology; it was at the bottom of a conf.

But I'm still stuck.

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: squidblacklist.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

Ok, I now have ssl up and running, thanks to the Let's Encrypt project. Thank you, thank you.

So, I went back and ran the following command...

certbot --authenticator standalone --installer apache -d squidblacklist.org -d www.squidblacklist.org -d resolved.squidblacklist.org -d whitelists.squidblacklist.org -d tik.squidblacklist.org -d tikdns.squidblacklist.org -d standard.squidblacklist.org -d dns.squidblacklist.org -d diffs.squidblacklist.org -d dnsmasq.squidblacklist.org -d blog.squidblacklist.org -d zone.squidblacklist.org --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

And voila, everything SEEMS to be working now. BUT IT ISN'T...

Now this is the problem...

Browsers are reporting to me that the ssl certificates have some kind of a problem and refuse to load the pages.. FAIL

Can't connect securely to this page
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website's owner.
Try this:
Go back to the last page

Site's up, but only thanks to Cloudflare's flexible ssl solution; the problem remains unsolved behind the WAF, ladies and gentlemen.


Difficult to say without more information.

Can you disable Cloudflare on one of the subdomains for a few minutes and run a https://www.ssllabs.com/ssltest/ scan?
